A Romanian accused of hacking NASA is fighting against an order to pay damages to the space agency.
Victor Faur, 27, from Arad, Romania, was ordered to pay $240,000 in damages by a court after he was found responsible for breaking into multiple systems at NASA, along with computers at the Department of Energy and Navy systems …

COMMENTS

The US protesteth too much

Whilst an argument can be made that the guy should pay for the cost of fixing any damage he caused to systems, the cost of "putting things completely right" is something that should be borne by the organisation.

It's a cost they should have incurred before the incident, and should be incurring on an ongoing basis in any event; NASA is an organisation which has information of economic and military value and it's only reasonable to expect the information on its systems to be kept secure.

I'd suspect a charge of about $20,000 would be much more appropriate to conduct an audit of the affected systems and repair any damage caused. $200k is one nought too many and the US claim is two zeros too many.

Charge?

How about paying the guy $20,000 for highlighting their current system administrators' incompetence in a non-destructive manner and providing educational material as to what security efforts need to be taken?

If it wasn't this guy, it could've been some other guy with malintent, and then they really could've sustained $250,000 of damage.

As it is, the guy should be lauded for putting his skills to such benign use. In fact, those little security advisories could be considered a damn good CV/resume, so a job offer might be in order too.

Re: Charge?

20 grand?

Going by the US precedents, I will expect you to be fined the full value of my house, plus additional compensation to be paid to my neighbours whose own house values will have been reduced by your criminal activity.

Oh, and my legal fees too.

You're fine with that, right?

I wonder how a court might react to someone complaining that a stranger snuck into their house through an open window and spray-painted 'DON'T LEAVE YOUR WINDOWS OPEN' on the walls? I've got a pretty good idea what their insurers would have to say on the matter.

By that he means

"It's not just the cost of mopping up after the hacker(s), but it's the cost of putting things completely right after the event," he said.

recovering the cost of what should have been fixed in the first place. Cheap way to implement security if you can fine the right people, though they (hackers) should be allowed a reduction for the senior management justification campaign that they ran on NASA's behalf; last time I checked, a good awareness campaign across a large organisation was about 1/4 million dollars.

Actually, what he meant

I do believe...

...that the US should be forced to justify the costs and time involved in clearing things up.

If they try to tag on to this the costs of closing holes that shouldn't have been open in the first place, then they should be slapped down.

These are ridiculous amounts of money if all that the bloke has done is leave files around.

If I was Romania, I'd be telling the US to detail their claim. Same thing with McKinnon. The US shouldn't be getting away with this. It's a good job that these trials aren't going on in the US, or there'd be no one to pull them up on things like this.

RE: I do believe...

The extent of criminal damage is not based on the security of the damaged property, but on the damage done. If a burglar breaks into your home, the judge trying him doesn't say "Well, they only had cheap locks on the windows so I'll let you off with a lighter sentence." The act of breaking in is still breaking in regardless. SirVic's lame excuse of "I just wanted to tell them they had security issues" is just complete male bovine manure, he wanted to brag about what a 1337 haxor he was and so defaced their sites. If all he wanted to do was warn them of problems he could have done so in an anonymous snail-mail letter.

I really hope the damages actually get ramped up to send out a message to the skiddies - you may think you're oh-so-clever, but you will get caught and you will be made to pay for your crimes.

Ah...

...yeah, but the judge doesn't make the burglar pay for the windows. Or if so, only damage to the windows to bring them back to the level they were, and certainly not to replace rotting wooden frames with state-of-the-art uPVC with security bars.

Arguments

I now find that I am torn as to which way to go; on the one hand I hate 'hackers' (*) per se, but this one doesn't seem to have done a lot of damage ..... 1/4 million does seem a fair bit of spare change.

Decisions .... tend to agree with Matt most times on things, but have been reading Michelle's blog..... and trying to find her web site.......

OK, popcorn ready ...... will see if anything else appears on this story.

(*) By hackers I mean the script kiddies, Anonymous, LulzSec etc. Apologies, as I know this term can refer to rather more skilled denizens on the interwebs.

Excuses

It seems that whenever a hacker gets caught they stump up the "I was advising on security holes" excuse. As commendable as this may be, they're still breaking the law. When I started reading the news item I thought "$240k. That's expensive." But the more I read it, the more I think it's justified. There has to be a deterrent, and being whacked with a huge fine or a suspended or custodial sentence seems to be the most logical step. Hackers need to be stopped. End of. The more we play down the actions and outcomes of hacking and show leniency because "they're actually helping us get safer", the more hacking will continue. It's only a matter of time before some hidden damage leads to someone getting injured, or worse.

The fine isn't the deterrent

The deterrent is the prison sentence. The fine is for damages caused to the system, which do appear overinflated, given that much of what seemingly needed to be done using that money was stuff that should have been done anyway, in order to make the system secure.

I'm not saying what he did was right - it wasn't - just that the damages claim is over the top.

erm

@Justin Clements

You try getting a 'suspended prison sentence'. It is a punishment, one that will affect his entire life. _IF_ he gets caught, and convicted, for anything else during the period of his sentence then he goes inside.

RE: Clean up costs...

One of my colleagues has a vintage Porsche Speedster (yeah, I know, a girl with a car like that, and she's a weekend eco-warrior type too!) which was keyed last summer. The vandal scratched his tag into her paintwork. Are you saying that the gormless cretin that vandalised her car out of petty spite and jealousy should be let off because her classic car didn't have a modern proximity alarm? There is zero difference between acts of physical vandalism and those in cyberspace - they both have monetary impact and cause distress to their victims, and they are both the acts of small-minded idiots without any real excuse for their actions.

RE: @Matt Bryant

But the additional costs are for the security review the hack caused. And that was a direct result of SirVic's actions, so therefore I think it is justifiable. Anyway, this is NASA, notorious for their $20,000 hammers, don't you think they can be creative with the accounting to make it look like the cost of the added security was actually the cost of reviewing the hack?

I suspect the real issue is the comedy sentence passed down by the Romanian court, so the Yanks want to hammer him a bit more.

RE: RE: RE: @Matt Bryant

".....Surely that should be minimal with an effective backup regime?" You're just highlighting another area of cost. Not only do you have to rebuild your server from scratch - just to be sure, we're talking ANYTHING that could be recoded, so that's reloading the BIOS, checking the components like cards with writeable firmware - and then re-installing from a gold image, as you may not actually know if your backup has been infected or altered. If the last backup was taken after the hack had started you are going to have to assume it is unreliable. Go ahead, keep pointing out ways the NASA charges are justifiable.

When will the lessons be learned?

As the quote from the (inevitable) Security Professional put it '..."It's not just the cost of mopping up after the hacker(s), but it's the cost of putting things completely right after the event," he said...'

So when ANY organization (setting aside that it's NASA, the Navy, the DoE etc. in this case) does that risk assessment 'thing' and goes, "You know what? It's just so unlikely we'll get hacked, we can risk not spending the *estimated* money..." then who's truly at fault?

IMHO, the guy's a hacker; he should be penalised proportionately, and an organisation that tries to claim damages due to being hacked is at liberty to do so BUT they can only claim, as a maximum, the amount of spend they 'averted' by not properly bolting the doors... This guy's lawyers would probably be best served by asking for that kind of information to bolster their defence, do the 'depreciated asset' calcs etc... Of course, such organisations would then have to explain their lack of understanding of the liabilities the 'averted spend' truly represented...

RE: Re: only 240K?

Well, first you have to determine the extent of the hack - has he played at childish vandal and defaced your webserver, or has he also been smart and hidden some nasties on your deployment or management servers? Are you simply reinstalling with added backdoors, which means the idiot and other like-minded cretins are actually going to be back in there five minutes after you reinstall? Not so simple, is it?

When you do a clean-up after one of these childish vandals, you have to start from the assumption that anything connected to the known-bad system is also compromised and then work backwards to prove each item is either clean or stays on the rebuild list. And when I say "connected", that means if someone has plugged a USB device into one of the bad machines and then used it elsewhere, you have to assume every machine that USB device has been used with is also on the rebuild list. In an environment with thousands of servers, suddenly a clean-up bill of $240k starts to look very reasonable.
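The scoping rule described in the comment above (start from the known-bad host, treat every connected host and every machine a shared USB device later touched as suspect until positively proven clean) worked through as an added Python example; this is not code from the post or from any of the organisations named, and the asset inventory is constructed for illustration.

```python
from collections import deque

# Constructed sample inventory. An edge means "shared a trust path": an admin
# session, a deployment channel, or removable media plugged into both ends.
# USB devices are nodes in their own right, so a drive used on a bad host
# taints every host it was later used with, exactly as the comment describes.
CONNECTIONS = [
    ("web01", "mgmt01"),       # defaced web server, administered from mgmt01
    ("mgmt01", "deploy01"),    # management box pushes builds to deploy01
    ("deploy01", "app01"),
    ("deploy01", "app02"),
    ("usb:drive-7", "web01"),  # thumb drive plugged into web01 ...
    ("usb:drive-7", "lab03"),  # ... and afterwards into a lab workstation
    ("hr01", "hr02"),          # separate island, never connected to web01
]


def build_graph(edges):
    """Undirected adjacency map: compromise is assumed to flow either way."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def rebuild_list(known_bad, edges, proven_clean=frozenset()):
    """Return every host reachable from a known-bad asset that has not been
    proven clean. Assumption for this example: a host proven clean also
    blocks propagation through it, since nothing bad passed that way."""
    graph = build_graph(edges)
    tainted = set(known_bad)
    queue = deque(known_bad)
    while queue:
        node = queue.popleft()
        for neighbour in graph.get(node, ()):
            if neighbour in tainted or neighbour in proven_clean:
                continue
            tainted.add(neighbour)
            queue.append(neighbour)
    # Removable media gets wiped rather than rebuilt; report hosts only.
    return sorted(n for n in tainted if not n.startswith("usb:"))


if __name__ == "__main__":
    print("rebuild:", rebuild_list(["web01"], CONNECTIONS))
    print("after clearing deploy01:",
          rebuild_list(["web01"], CONNECTIONS, proven_clean={"deploy01"}))
```

Clearing deploy01 removes app01 and app02 from the list, but lab03 stays on it because of the shared thumb drive.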

Costs

An experienced consultant costs more than $1000 per day. As all the vultures here said, there is an audit of the system or a re-install, clean up or audit the archives, change encryption keys maybe (which in some cases cost 2000 per certificate); 240.000 = 240 days means only 2 months for a team of 5 people.

All in all, 240.000 is quite reasonable. The hacker should be forced to work to pay this money if he doesn't have it; whatever his reasons, what he did was against the law.

Hackers get this into your heads

All you ID10Ts who think he should be thanked?

Just remember that the next time some burglar breaks into your upstairs window and does anything in YOUR abode. I'm sure letting him off with a Thank You for letting you know just how crappy your security is will be just fine with you at that point...........

The lot of you should be 'thanked' by NASA and then spaced out the airlock!

Or a locksmith...

RE: @AC

"If you leave your upstairs window open and a ladder nearby...." You really haven't got a clue about how the law works, do you? Regardless of whether you enter a property through an open window or by breaking and entering, if you are not invited in then you are trespassing. If you remove the owner's belongings from the property without their permission you are committing theft, regardless of how you got in, and if you spray paint their walls it is still vandalism and destruction of property.

If you worked in real IT you'd know this, because even your work desktop/laptop would have a login banner saying something like "This system belongs to Company X, only authorised people of Company X can use this system, if you log in and are not authorised you are in breach of law XYZ". By continuing further, even if you are using the correct login credentials for a real user, you are committing a cybercrime. You usually have to click to go past the banner, which is taken as you being aware you are breaking the law but carrying on regardless, which makes it easy for the prosecution to then send you down. I can just about guarantee any NASA system that SirVic hacked would have had just such a warning banner.

NASA Hacking all too easy

I was looking for a document referenced on another site yesterday that was supposedly hosted at a NASA site. I ended up at a page which had stuff like "All your IP addresses and keystrokes belong to us" on it. On reading the fine print I discovered it was a stern warning to hackers, along the lines of those "FBI investigates piracy" notices, that I was at some unauthorized webpage.

Oh dear. I must have just hacked NASA. Except that this page is supposed to be public, and it had better be, because as a taxpayer I have the right to access it unless it's national security related (FORTH? National Security?).

I think NASA's got the same problem as GCHQ. Anybody who knows what they're doing has long decamped to somewhere that pays a lot better.